Shorewall and static routing?

Kenneth Burgener kenneth at mail1.ttak.org
Sat Aug 11 23:39:47 MDT 2007


Sorry for the delay in my response.

Gabriel Gunderson wrote:
> On Fri, 2007-08-10 at 10:56 -0600, Kenneth Burgener wrote:
>> I have in my rules:
>>   DNAT            net             lan:10.10.10.3  udp     1194    -       65.X.X.X
> 
> This looks like a shorewallism.  What does the 65.X.X.X stand for?  Is
> that your public IP obfuscated?  If so, I assume the whole thing is
> spelled out in your config?

Yes, that is my public Qwest IP address obfuscated.


>> Here is how I am adding a static route:
>>   route add -net 10.10.20.0 netmask 255.255.255.0 gw 10.10.10.3 dev eth1
> 
> This shouldn't need the "dev eth1".  What do you get without it?  Still, I
> doubt it makes any difference.

Yeah, adding the "dev eth1" does not appear to make any difference.


>> My policy has:
>>   $FW             net             ACCEPT
>>   $FW             lan             ACCEPT
>>   lan             $FW             ACCEPT
>>   lan             net             ACCEPT
> 
>> I watch the message log, and it does not appear that shorewall is
>> dropping any connections
> 
> Are you dropping packets anywhere?  If so, are they *ALL* being
> logged?  When I say *ALL* I mean *ALL*.  Otherwise, it's like a
> blackhole and troubleshooting is a nightmare.

They are not being logged anywhere I can tell.  To me it seems that they
are just disappearing into a black hole.


>> so it appears that I am just doing the routing wrong.
> 
> Keep it simple.  Try pinging the VPN gw (10.10.20.1) from the 10.10.10.X
> subnet without using any OpenVPN stuff.  First establish the route and
> then try for a VPN connection.  Run tcpdump with the right filters on
> both the router and the VPN gw (don't tell me OpenVPN is running on
> Windows and doesn't have tcpdump!).

I ran tcpdump on the gateway, and as far as I can tell I can see the
traffic coming in, and being routed back out.  I am just not sure where
it is being routed to.

> Let us know what you find out.
> 
> Gabe



Thanks for your response.

Kenneth
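Added example, not code from the thread, from Shorewall or from OpenVPN: a small longest-prefix-match resolver that answers "where is this packet being routed to?" for the layout above before anyone reaches for tcpdump. It also does the check the kernel does when you add a gateway route (the gateway must sit on a directly connected network, and the interface is derived from that), which is why the "dev eth1" on the `route add` makes no difference, and it flags the two usual black-hole symptoms for a forwarded packet: no return route, and a packet forwarded back out the interface it arrived on. The 10.10.10.0/24, 10.10.20.0/24, 10.10.10.3, eth0 and eth1 values are taken from the thread; the public addresses 198.51.100.0/24 and 198.51.100.1, and every host address in the tests, are assumed placeholders for the obfuscated 65.X.X.X.

```python
#!/usr/bin/env python3
"""Longest-prefix-match route resolution for the layout in this thread.

Added example; mirrors the Linux kernel's next-hop selection so a route
table can be sanity-checked on paper.  198.51.100.0/24 is an assumed
stand-in for the poster's obfuscated 65.X.X.X public network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: directly connected


def lookup(routes: List[Route], dst) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def parse_routes(text: str) -> List[Route]:
    """Parse '<prefix>|default [via <gw>] [dev <if>]' lines into Routes.

    A 'via' route may omit 'dev': as the kernel does, the interface is taken
    from the connected route that covers the gateway.  A gateway that is not
    on any connected network is rejected instead of becoming a black hole.
    """
    raw = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        target = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        prefix = ipaddress.ip_network(target, strict=False)
        via = dev = None
        i = 1
        while i + 1 < len(toks):
            if toks[i] == "via":
                via = ipaddress.ip_address(toks[i + 1])
            elif toks[i] == "dev":
                dev = toks[i + 1]
            i += 2
        raw.append((prefix, dev, via))

    connected = [Route(p, d) for p, d, v in raw if v is None and d is not None]
    routes = list(connected)
    for prefix, dev, via in raw:
        if via is None:
            if dev is None:
                raise ValueError(f"connected route {prefix} has no dev")
            continue
        hop = lookup(connected, via)
        if hop is None:
            raise ValueError(f"gateway {via} for {prefix} is not on any connected network")
        if dev is not None and dev != hop.dev:
            raise ValueError(f"gateway {via} lives on {hop.dev}, not {dev}")
        routes.append(Route(prefix, hop.dev, via))  # dev derived, as the kernel does
    return routes


def next_hop(routes: List[Route], dst) -> Optional[Tuple[str, str]]:
    """(interface, next-hop address), or None when dst is unroutable."""
    r = lookup(routes, dst)
    if r is None:
        return None
    hop = r.via if r.via is not None else ipaddress.ip_address(str(dst))
    return r.dev, str(hop)


def forwarding_issues(routes: List[Route], in_dev: str, src, dst) -> List[str]:
    """Black-hole symptoms for a packet src->dst that the router received on in_dev."""
    issues = []
    fwd = next_hop(routes, dst)
    if fwd is None:
        return [f"no route to {dst}: packet dropped without a firewall log entry"]
    if fwd[0] == in_dev:
        issues.append(f"{dst} goes back out {in_dev} via {fwd[1]}: hairpin; router emits "
                      "ICMP redirects if enabled and hosts on that segment can use the "
                      "gateway directly")
    back = next_hop(routes, src)
    if back is None:
        issues.append(f"no return route to {src}: replies vanish")
    elif back[0] != in_dev:
        issues.append(f"replies to {src} leave via {back[0]}, not {in_dev}: asymmetric "
                      "path, strict rp_filter would drop the request")
    return issues


# Constructed from the thread; the 198.51.100.x values are placeholders.
ROUTER_ROUTES = parse_routes("""
198.51.100.0/24 dev eth0
10.10.10.0/24 dev eth1
10.10.20.0/24 via 10.10.10.3
default via 198.51.100.1 dev eth0
""")

if __name__ == "__main__":
    for dst in ("10.10.20.7", "10.10.10.3", "8.8.8.8"):
        print(dst, "->", next_hop(ROUTER_ROUTES, dst))
    print(forwarding_issues(ROUTER_ROUTES, "eth1", "10.10.10.50", "10.10.20.7"))
```

`forwarding_issues` is deliberately pessimistic: a hairpin on the LAN segment is not itself a drop, but it is exactly the "coming in and being routed back out" pattern a tcpdump on the router shows, and it tells you which host to run tcpdump on next (the gateway the packet was handed to, not the router).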


